The HTTP_USER_AGENT variable contained operating system and web browser details; Ruwhof made no use of it.

The HTTP_COOKIE variable was visible and full of information; a customer's credentials could have been hijacked in real time (Ruwhof refrained from breaking the law).

HTTP Basic authentication was not in use, as the AUTH_USER and AUTH_PASSWORD variables carried no data.

Danske Bank did not use a secure HTTPS connection to transport customer banking traffic: the HTTPS variable was OFF and SERVER_PORT carried the value 80.

They are still using COBOL code on their backend for CICS (Customer Information Control System) and database handling.
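As an added illustration (not from the article, and not Ruwhof's own tooling), the following Python script checks a captured response body for the kind of server-variable dump described above and flags the two findings a defender would care about most: echoed session cookies or credentials, and plaintext transport. The dump text is constructed; the variable names are the standard CGI ones mentioned in the article.

```python
import re

# Constructed sample of a leaked CGI/server-variable dump, modelled on the
# debug output described in the article. All values are made up.
SAMPLE_DUMP = """\
HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.1) Firefox/34.0
HTTP_COOKIE=JSESSIONID=constructed-session-id-123; ebank_sess=constructed-token
AUTH_USER=
AUTH_PASSWORD=
HTTPS=OFF
SERVER_PORT=80
SERVER_SOFTWARE=Example-Gateway/1.0
"""

# Standard CGI variable names; seeing several of them in a response body is a
# strong sign that server-side debug output is being rendered to clients.
KNOWN_CGI_VARS = {"HTTP_USER_AGENT", "HTTP_COOKIE", "AUTH_USER", "AUTH_PASSWORD",
                  "HTTPS", "SERVER_PORT", "SERVER_SOFTWARE", "REMOTE_ADDR"}

# Variables whose non-empty value in a response means client secrets were echoed.
SECRET_VARS = {"HTTP_COOKIE", "AUTH_USER", "AUTH_PASSWORD", "HTTP_AUTHORIZATION"}


def parse_dump(text):
    """Parse NAME=value lines into a dict; lines that do not match are ignored."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Z_][A-Z0-9_]*)=(.*)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def looks_like_dump(variables, threshold=3):
    """True when at least `threshold` known CGI variable names appear."""
    return len(KNOWN_CGI_VARS & variables.keys()) >= threshold


def assess(variables):
    """Return the findings a reviewer would raise about an exposed dump."""
    findings = []
    for name in sorted(SECRET_VARS & variables.keys()):
        if variables[name]:  # empty AUTH_* values mean Basic auth is simply unused
            findings.append(f"{name} exposed with a non-empty value (session/credential leak)")
    if variables.get("HTTPS", "").upper() in ("OFF", "0", "") and variables.get("SERVER_PORT") == "80":
        findings.append("traffic served over plaintext HTTP (HTTPS=OFF, SERVER_PORT=80)")
    return findings


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    if looks_like_dump(parsed):
        for finding in assess(parsed):
            print("FINDING:", finding)
```

The same check can be run over saved HTTP response bodies from a crawl of your own site to catch debug pages that leaked into production.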

After exploring all these loopholes and being in a state of shock, Ruwhof wanted to report the security vulnerabilities to Danske Bank, in an effort to make them aware of the risks associated with their online banking service.

What he got in return was nothing!

Firstly, the bank didn't have any contact point that handles and responds to such disclosures.

Secondly, after managing to get a customer care number, the executive at the other end said: “Our technical guy will look at your finding.”

Then finally, Ruwhof took the social network route to reach an employee of Danske Bank, where he succeeded, and reportedly the vulnerabilities were patched within 24 hours.

Wait, the story doesn't end here:

After 12 days Danske Bank acknowledged Ruwhof, and on reading the reply he almost went into a coma, as the bank thanked him for reporting a potential vulnerability!

On a serious note, Ruwhof said that with his 17 years of experience he can tell the difference between the good and the bad.

“Someone at Danske Bank has messed up pretty hard, and they’re now covering the situation. That’s not honest and certainly not transparent.”

“For at least two weeks, but probably a lot longer, very confidential customer data in the form of session cookies were leaking on Danske Bank’s web site. With these cookies, it should have been possible to hijack internet banking accounts of their customers. They closed the security hole quickly but are now in denial of it.”

Hacker Attack! Could they Steal from you?

We would suggest that Danske Bank and our readers have a good read of the following links to understand the extremes at both ends.

Researcher and Technical Writer at The Hacker News. An Information Security Consultant and System Auditor, a keen Security Evangelist for all forms of Cyber Security and Denotational Counter Hack Requirements of the Industry, Academia and Society.